Compliance & Audit


What this covers

We review your current security controls against the specific requirements of a regulatory framework — NIS2, ISO 27001, or GDPR Article 32 — and tell you where the gaps are. Then we help you close them in an order that makes operational sense.

We don't hand over a checklist and leave. The output is a remediation plan your IT and legal teams can actually use, not a binder that sits on a shelf until the next audit.

NIS2 Directive

NIS2 (Directive (EU) 2022/2555) entered into force in January 2023, and Member States had until 17 October 2024 to transpose it into national law; the obligations bind entities through that national legislation, so exact timing and detail vary by country. Article 21 requires essential and important entities to implement specific technical and organisational security measures. Many mid-sized companies in healthcare, energy, digital infrastructure, and finance are in scope without knowing it: unlike its predecessor, NIS2 applies by default to any medium-sized or larger enterprise operating in a listed sector, not only to organisations a national authority has individually designated.

We start with a scoping assessment to confirm whether you're in scope and under which category. The first check is the size-cap rule in Article 2: an organisation in one of the sectors listed in Annex I or II that is medium-sized or larger (at least 50 staff, or both annual turnover and balance sheet above EUR 10 million) is in scope by default, with some sector-specific cases that apply regardless of size. Then we run a structured gap analysis against the ten measures listed in Article 21(2), including risk analysis and information system security policies, incident handling, business continuity and backup, supply chain security, cryptography, access control, and multi-factor authentication.

  • Regulatory scoping — essential vs important entity classification
  • Article 21 gap analysis across all ten security areas
  • Incident reporting procedure review against the Article 23 timelines (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month) and the supporting documentation
  • Supply chain and third-party risk assessment
  • Remediation roadmap with effort estimates

ISO 27001

ISO 27001:2022 certification requires demonstrating a functioning information security management system. We don't certify you — that's a certification body's job — but we assess your current posture against the standard and identify what needs to change before you engage a certifier.

  • Context and scope definition (Clause 4)
  • Risk assessment methodology review (Clause 6)
  • Annex A controls gap analysis (93 controls in the 2022 version)
  • Statement of Applicability preparation support
  • Internal audit preparation

GDPR security requirements

GDPR Article 32 requires "appropriate technical and organisational measures to ensure a level of security appropriate to the risk", weighed against the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing. What that means in practice depends on what data you process and how: the same control set can be adequate for a marketing mailing list and inadequate for health records. We assess your current measures, identify gaps, and document findings in a format that supports your Data Protection Impact Assessments under Article 35.

  • Pseudonymisation and encryption review
  • System resilience and backup assessment
  • Access control and least privilege review
  • Breach detection and reporting capability, including whether you can meet the Article 33 deadline of notifying the supervisory authority within 72 hours of becoming aware of a breach
  • Third-party processor security review

A note on certification

We provide audit and gap analysis services. Formal ISO 27001 certification is issued by accredited certification bodies — separate organisations. We can help you prepare for that process, but we don't issue certifications ourselves and we don't make claims about guaranteed outcomes.